From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
The latest SELinux targeted policy prevents httpd from accessing the standard document root under /var/www/html. Therefore httpd doesn't start up anymore.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-6, httpd-2.0.54-10

How reproducible:
Always

Steps to Reproduce:
1. service httpd start
2.
3.

Actual Results:
# service httpd start
Starting httpd: [FAILED]

During boot you can see an additional console message saying "Syntax error line XYZ in httpd.conf: DocumentRoot must be a directory".

Expected Results:
httpd should start up.

Additional info:
Excerpt from /var/log/audit/audit.log:
type=AVC msg=audit(1122785657.244:12643695): avc: denied { search } for pid=3650 comm="httpd" name="www" dev=hda3 ino=917661 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1122785657.244:12643695): arch=40000003 syscall=195 success=no exit=-13 a0=91f3758 a1=bfe8a314 a2=463ff4 a3=bfe8a314 items=1 pid=3650 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1122785657.244:12643695): cwd="/"
type=PATH msg=audit(1122785657.244:12643695): item=0 name="/var/www/html" flags=1 inode=917661 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00

httpd starts up fine when run by hand outside of auditd control. When I downgrade to the previous selinux-policy-targeted-1.25.2-4 httpd starts up fine.
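As an added example (not part of the bug report), a small Python triage script that parses AVC records in the format quoted above, groups denials by source type, target type and object class, and renders the `allow` rule that audit2allow would propose for each group; the first log line is the one from the report, the second is constructed. The rendered rule is for reading the denial, not for loading: as this thread shows, the right fix was an existing policy boolean rather than a custom rule.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL records quoted in the bug report, plus
# a second AVC line in the same format (constructed, not from the report) so
# the grouping below has more than one key.
AUDIT_LOG = """\
type=AVC msg=audit(1122785657.244:12643695): avc: denied { search } for pid=3650 comm="httpd" name="www" dev=hda3 ino=917661 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1122785657.244:12643695): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1122785658.000:12643700): avc: denied { read getattr } for pid=3651 comm="httpd" name="index.html" dev=hda3 ino=917700 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The type is the third field of a user:role:type[:level] context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

def allow_rules(summary):
    """Render each group as the TE allow rule audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(AUDIT_LOG)):
        print(rule)
```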
Did you have httpd_builtin_scripting turned off?

getsebool httpd_builtin_scripting

It needs to be turned on for this to work.

setsebool -P httpd_builtin_scripting=1
Yes, that was switched off. When I enable it httpd starts again. Is this a new setting? Or is this something new in the policy? It should be mentioned in the update notice so that others don't have the same problem. Or enable it by default in the new policy. Resolved as NOTABUG.
It is fairly new to policy. I do not recall if it was there before in RHEL4. By default it should be set to true in /etc/selinux/targeted/booleans? Dan
I have the same problem. Running "setsebool -P httpd_builtin_scripting=1" does fix the problem for me. However, although /etc/selinux/targeted/booleans does indeed specify "httpd_builtin_scripting=1", this variable wasn't set in my running kernel until I forced it with setsebool. Is there a problem with the selinux rpm's not reading /etc/selinux/targeted/booleans?

# cat /proc/version
Linux version 2.6.14-1.1644_FC4 (bhcompile.redhat.com) (gcc version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 Sun Nov 27 03:25:11 EST 2005
# rpm -qa|egrep "policy|selinux"
selinux-doc-1.19.5-1
policycoreutils-1.27.2-1.2
selinux-policy-targeted-1.27.1-2.16
checkpolicy-1.23.1-1
libselinux-devel-1.23.10-2
libselinux-1.23.10-2
selinux-policy-targeted-sources-1.27.1-2.16
#